Internal Control Environment


Internal Controls Overview

Internal control is a process, effected by management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories, respectively, if the organization’s leadership has reasonable assurance that:

  • They understand the extent to which the entity's operations objectives are being achieved.
  • Published financial statements are being prepared reliably.
  • Applicable laws and regulations are being complied with.

Internal control consists of five interrelated components:

  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring

Control Environment

The control environment sets the tone of an organization, providing discipline and structure. Control environment factors include:

  • The integrity, ethical values and competence of the entity's people
  • Management's philosophy and operating style
  • The way management assigns authority and responsibility, and organizes and develops its people

The following is a summary of the control environment within the Office of the University CIO at Harvard.

Staff Values

As a service organization, UIS must continually demonstrate its commitment to providing our customers with the IT products and services they need, at competitive prices, delivered in a customer-oriented manner. To ensure this, UIS has adopted the value compass (depicted at the right), which serves to remind staff of UIS’s way of working with our customers in the Harvard community. The value compass integrates behaviors such as ingenuity, dependability, efficiency, and interaction into a model for the entire organization.

Management Philosophy and Operating Style

In Harvard's highly decentralized IT environment, the Office of the University CIO plays a unique role in the daily life of the University. We are responsible for providing a dependable and robust technology infrastructure and delivering effective IT services in support of the academic and administrative goals of the Harvard community. We provide both basic and enhanced information technology services to faculty, staff, and students and work with senior IT planning groups such as the University Technical Architecture Group (UTAG) and the IT Forum, as well as customer and peer advisory groups to evaluate and plan for the introduction of useful technologies.

Staff Competencies and Resource Development

Training and career development are critical to the ongoing success of the Office of the University CIO. Therefore, we participate in a number of professional development opportunities that incorporate elements of work skills and specific competencies, and are designed to assist staff and managers in developing career paths for individuals, in addition to assessing, developing, training and rewarding employees across the organization.

Both professional competencies and technical skills are important to success within the organization. Core competencies reflect a broad set of professional skills that are common across all of the organization's positions, regardless of role. All employees are expected to exhibit these competencies. (See insert at right)

Professional competencies that are most beneficial to employees are offered in a number of different ways, including Leadership Development Programs, peer consortiums and conferences, continuing education programs, etc. Technical skills, on the other hand, reflect the in-depth knowledge required to perform a specific role/job and are defined for a specific discipline or job family (e.g. Applications Programming, Network Administration). All positions require technical skills, and the specific types of skills may vary from one job group to another.

Assigning of Authority and Responsibility

Authority and responsibility are assigned downward in the organization through management. The ability to access confidential information, spend University resources, or oversee operational activities should only be given to those who need the responsibility as part of their job description.

Access to Confidential Information Forms are provided by the CAIT Human Resources group and should be signed by individuals whose roles require access to such things as payroll, credit card information, ID numbers, etc.

Purchasing Authority Forms are provided by the Central Accounting group and should be signed by individuals whose roles require that they procure products and services for the University.

The oversight of operational activities and the ability to make key business decisions should be clearly outlined in the individual job descriptions.

Organizational Structure

The Office of the University CIO has over 300 FTEs involved in delivering IT services to the Harvard Community. These staff are involved in activities that are very diverse, including business and production operations, technical consulting, programming, customer service, administration, financial support, etc. In addition to enabling us to deliver quality IT products and services, this important balance of backgrounds, skills and styles has made this an exciting environment for management and staff.

Each group within the organization functions as an independent service area; however, all groups work across the organization to provide integrated solutions to the continuously evolving IT needs of our customers. Within the organizational model, plans are driven by the needs of the customer base with significant participation from the Harvard community. Members of the organization participate in industry groups and higher education forums to keep current on external trends and industry direction. All service units receive support from a shared human resource and financial structure.

Risk Assessment

Risk assessment is the identification and analysis of risks relevant to the achievement of the objectives, forming a basis for determining how the risks should be managed.

The following is a list of some (but not all) of the periodic activities within the Office of the University CIO designed to identify, assess and mitigate against known and unknown risks:

Operational:

  • As part of the annual organization-wide goal-setting process, management is required to define future risks associated with planned goals, including mitigation plans.
  • On an annual basis, business management must define and discuss the internal and external operating risks that could potentially impact the business with the University CIO, including plans to mitigate the potential impact.
  • On an ongoing basis, all directors and business managers participate on the organization's Emergency Response and Disaster Recovery Team. Potential internal and external risks are assessed and detailed recovery plans are put into place to ensure service continuation or resumption following an incident.

Financial:

  • Senior Financial Management is closely involved in the budgeting, forecasting, rate model development, and performance review processes. All major fluctuations, unusual trends, and unexpected changes in results are escalated to senior management.
  • Within the Financial Services organization there is a Policy and Procedure team, whose role is to review the existing control environment, identify potential risks and draft and enforce policy as needed.

Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out, and ensure that necessary actions are taken to address risks to achieving the organization's objectives. Control activities include a wide range of activities such as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

The following is a list of some (but not all) of the control activities that take place within the Office of the University CIO:

Approvals & Authorizations:

  • Purchasing Authority can only be delegated to individuals by upper management
  • Purchasers must be on the centrally maintained list
  • Individuals must review and sign internal policies around purchasing responsibilities
  • Only individuals in Central Finance and Accounting have payment signature authority
  • All capital purchases must be in compliance with the “Capital and Debt Policy” and reviewed and approved by Senior Management
  • All contracts must be in compliance with the “Contract Review, Approval and Management Policy” and approved by Senior Management
  • All changes to salaries must be approved by the group director and Human Resources

Verifications:

  • Vendor invoices are compared to purchase orders, receiving reports and contracts (3-way matching)
  • Costs are compared to budget on a monthly basis
  • Costs and rates are benchmarked against other peer institutions, and outside service providers
  • Physical inventories are verified to system inventories and GL balances

Reconciliations:

  • All balance sheet accounts are reconciled on a regular (usually monthly) basis
  • Overall fluctuations in balance sheet activities are analyzed and reported in the “Summary of Annual Operating Results”
  • Flux analysis is done semi-annually with the central University financial office
  • Revenue is reconciled monthly (business systems to GL)

Reviews of Operating Performance:

  • Detailed transactions are reviewed monthly by business managers and financial analysts and compared to budget and forecast data.
  • Operating results are published and distributed monthly to all executive, senior and business managers.

Security of Assets:

University owned assets (e.g. data, information, inventory, facilities, equipment, etc.) are highly protected, both physically and financially. Controls have been established to prevent and detect security breaches at all levels.

  • Data and information are backed up and stored as part of disaster recovery planning, which ensures that University-wide and local UIS information can be restored in the event of a building, system or infrastructure failure.
  • Great measures are taken to ensure our locations are kept secure and environmentally safe, preventing losses due to theft or physical catastrophe.
  • All physical assets of financial value are tracked and reconciled on the University general ledger system, as well as on local asset management systems, which assists management in understanding the assets managed by their organizations and in planning future capital activities.
  • Pre-employment screening is performed for potential employees who would have access to financial assets (e.g. credit card information, cash, etc.) as part of their role.

Separation of Duties:

  • All Financial staff report to a central financial organization and not to business management
  • Capital transactions must be reviewed by at least two layers of approval authorization
  • All invoices must be approved both outside and inside the central Accounting Office

Information and Communication

Information

Pertinent information must be identified, captured and communicated in a form and timeframe that enables employees to carry out their responsibilities. Information systems produce reports containing operational, financial and compliance-related information that make it possible to run and control the business.

The following is a list of some (but not all) of the reports and other information that are used to maintain operational controls:

Management Reports:

  • Operating reports on personnel allocations, inventory, revenue and billing (e.g. open jobs)
  • Customer reports on capacity and usage, customer trends and market share
  • Exception reporting on customer calls, issue tracking and incident reporting

Financial Reports:

  • Transaction reports including GL detail
  • YTD summaries and variance to budgets
  • Budget and Forecast Reports
  • Project Tracking Reports
  • Capital equipment and debt

Other Information:

  • Vendor reports
  • FTE Reports
  • Ad Hoc Reporting
  • Rate and cost allocation models
  • Annual Financial Report
  • Financial Handbook
  • Chart of Accounts Publication
  • Consolidated Organization-wide Goals

Communications

Effective communication must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system and have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.

Below is a list of some (but not all) of the communication vehicles within the organization:

Downward in the Organization:

  • Annual Directors Off-site
  • Business off-sites
  • Annual Meetings
  • Policy Distributions (with signatures required)
  • Weekly staff meetings
  • Performance Review Process

Across the Organization:

  • The Financial News is distributed at least quarterly and includes policy changes and updates, best practices, and other financial information.
  • All policies are distributed electronically and are published on the department web site.
  • The Human Resources News is distributed regularly with information of interest to staff.
  • DLS (Desktop and LAN Support) Tips are distributed weekly with information on desktop security, best practices and other helpful PC user information.
  • Broad email announcements are used for ad hoc communications.
  • The internal web site contains policies, procedures and other information to assist staff.

Upward in the Organization:

  • Brown bags and informal luncheons
  • Quarterly Town Meetings
  • Management Team meetings
  • Exit Interviews

Monitoring

Internal control systems need to be monitored to assess the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management.

Roles and Responsibilities

Everyone in an organization has responsibility for internal control, including:

Management:

  • The chief executive officer is ultimately responsible and should assume "ownership" of the control system and set the tone that affects integrity and ethics and other factors of a positive control environment. The CEO should provide leadership and direction to senior managers and review the way they are controlling the business.
  • Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions.
  • Financial officers and their staffs control activities that cut across, as well as up and down, the operating and other units of an organization.

Internal Auditors: Internal auditors play an important role in evaluating the effectiveness of control systems, and contribute to ongoing effectiveness. Based on organizational position and authority in an entity, an internal audit function often plays a significant monitoring role.

Other Personnel: Internal control is, to some degree, the responsibility of everyone in an organization and, therefore, should be an explicit or implicit part of everyone's job description. Virtually all employees produce information used in the internal control system or take other actions needed to effect control. In addition, all personnel should be responsible for communicating to upper management problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions.

© 2008 Harvard UIS